Last Call Review of draft-ietf-lamps-cert-binding-for-multi-auth-05
review-ietf-lamps-cert-binding-for-multi-auth-05-secdir-lc-kelly-2024-07-21-00

Request Review of draft-ietf-lamps-cert-binding-for-multi-auth
Requested revision No specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-05-16
Requested 2024-05-02
Authors Alison Becker, Rebecca Guthrie, Michael J. Jenkins
I-D last updated 2024-07-21
Completed reviews Artart Last Call review of -05 by Robert Sparks
Secdir Last Call review of -05 by Scott G. Kelly
Assignment Reviewer Scott G. Kelly
State Completed
Request Last Call review on draft-ietf-lamps-cert-binding-for-multi-auth by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/ykN6q6ZnzQWYaPOXkLUk8F72xQg
Reviewed revision 05
Result Ready
Completed 2024-07-21
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The summary of the review is ready.

This review is more than a month late, so I hope it is still useful.

From the abstract: This document defines a new CSR attribute,
relatedCertRequest, and a new X.509 certificate extension, RelatedCertificate.
The use of the relatedCertRequest attribute in a CSR and the inclusion of the
RelatedCertificate extension in the resulting certificate together provide
additional assurance that two certificates each belong to the same end entity.
The document describes an example use case illustrating migration from a classic
cert to a PQ certificate.

The security considerations section calls out the security considerations of
RFC 5280, and also discusses the potential for downgrade attacks and risks
relating to retrieval of the related cert. I see no additional security
considerations, and think the document is ready from a security perspective.